XSS Vulnerability in SvelteKit Framework Affects Web Application Development
CVE-2025-32388
5.4 MEDIUM
What is CVE-2025-32388?
SvelteKit, a framework for building web applications, is vulnerable to cross-site scripting (XSS) in versions prior to 2.20.6. The flaw arises when search parameter names are rendered without sanitization, in particular in server load functions that iterate over event.url.searchParams and pass the parameter names through to the page. An attacker can exploit this by crafting a malicious URL and tricking a user into opening it, so that attacker-controlled script runs in the victim's browser. Users of SvelteKit should update to version 2.20.6 or later to mitigate this risk.
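The pattern described above, as an added example that is not SvelteKit's own code: a simplified stand-in for a server load function that iterates event.url.searchParams, followed by an unsafe renderer that escapes only parameter values and a hardened one that escapes names as well. The load, renderUnsafe, renderSafe and containsRawMarkup functions and the sample URL are assumptions constructed for this illustration.

```javascript
// Added example (not SvelteKit code): models the advisory's pattern.
// A load-style function collects search parameter names and values; a
// render step interpolates them into HTML. Escaping only the values
// leaves parameter *names* unescaped; escaping both closes the gap.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Stand-in for a server load function iterating event.url.searchParams.
// event.url is a WHATWG URL, as in SvelteKit, so names are percent-decoded.
function load(event) {
  const params = [];
  for (const [name, value] of event.url.searchParams) {
    params.push({ name, value });
  }
  return { params };
}

// Unsafe variant: trusts parameter names, escapes only the values.
function renderUnsafe(data) {
  return data.params.map((p) => `<li>${p.name}=${escapeHtml(p.value)}</li>`).join('');
}

// Hardened variant: every request-controlled string is escaped, names included.
function renderSafe(data) {
  return data.params.map((p) => `<li>${escapeHtml(p.name)}=${escapeHtml(p.value)}</li>`).join('');
}

// Check: true when any parameter name or value containing '<' reaches the
// output verbatim, i.e. markup from the request survived rendering.
function containsRawMarkup(html, data) {
  return data.params.some((p) =>
    [p.name, p.value].some((s) => s.includes('<') && html.includes(s)));
}

// Constructed sample request: the parameter *name* carries markup, the value is benign.
const sampleEvent = { url: new URL('https://example.test/search?<b>x</b>=1&q=ok') };
```

Running load(sampleEvent) through both renderers shows the name `<b>x</b>` reaching the page intact in the unsafe variant and as `&lt;b&gt;x&lt;/b&gt;` in the hardened one.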
Affected Version(s)
kit >= 2.0.0, < 2.20.6
